Collaboration


Add CAS SSL Certificate to Java’s keystore

Make sure that $JAVA_HOME points to the JRE that Confluence is actually running on, otherwise the certificate ends up in a keystore Confluence never reads.

# openssl s_client -showcerts -connect sso-server.mydomain.com:8445 2>/dev/null </dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | keytool -import -alias casalias -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

Note: this is not to be confused with Confluence's own SSL certificate; it only makes Java trust the CAS server's SSL certificate, which the validation filter needs when it calls back to the CAS server.

Confluence SSL Certificate

To install an SSL certificate, follow Tomcat SSL Certificates.

Install CAS Client libraries:

  1. Download the latest CAS client from http://www.jasig.org/cas/download and transfer the file to CONFLUENCE_HOST
  2. Open an SSH client and connect to CONFLUENCE_HOST.
  3. Username: root / ….
  4. Open a console and change directory (cd) to the directory to which you transferred the ‘*.tar.gz’ file
  5. Set the Confluence variables
    export CONFLUENCE_INSTALL=/opt/atlassian/confluence
    export CONFLUENCE_HOME=/var/atlassian/application-data/confluence
  6. Expand the files
    tar -xzvf cas-client-X.Y.tar.gz
  7. Copy the CAS client jars into Confluence
    cp cas-client-X.Y/modules/cas-client-core-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/
    cp cas-client-X.Y/modules/cas-client-integration-atlassian-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/

Modify the web.xml

Add the CAS Filters to the end of the filter list.
$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Filters -->
<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://sso-server.mydomain.com:8445/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://wiki.mydomain.com:8090</param-value>
  </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://sso-server.mydomain.com:8445/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://wiki.mydomain.com:8090</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<!-- CAS:END -->
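The two init-params above, casServerUrlPrefix and serverName, are what the validation filter combines into its call back to the CAS server. The following is an added example (not the CAS client's code and not from the original page) that rebuilds that validation request and parses the CAS 2.0 reply strictly, returning a user only when the server explicitly reports success; function names and the XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used in CAS 2.0 serviceResponse


def service_url(server_name, request_uri):
    """The 'service' the client registered: serverName + request path, with the
    incoming 'ticket' parameter stripped (the ticket is not part of the service)."""
    parts = urlsplit(server_name.rstrip("/") + request_uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def validate_url(cas_server_url_prefix, server_name, request_uri, ticket):
    """URL the validation filter calls: <casServerUrlPrefix>/serviceValidate?service=..&ticket=.."""
    query = urlencode({"service": service_url(server_name, request_uri), "ticket": ticket})
    return f"{cas_server_url_prefix.rstrip('/')}/serviceValidate?{query}"


def parse_service_response(body):
    """Return the authenticated user from a CAS 2.0 reply, or raise ValueError.
    Anything other than an explicit authenticationSuccess with a user is a failure."""
    root = ET.fromstring(body)  # stdlib ElementTree does not fetch external entities
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse document")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise ValueError(f"CAS rejected ticket: {failure.get('code')} {(failure.text or '').strip()}")
    success = root.find(CAS_NS + "authenticationSuccess")
    user = success.find(CAS_NS + "user") if success is not None else None
    if user is None or not (user.text or "").strip():
        raise ValueError("reply carries no authenticationSuccess/user element")
    return user.text.strip()


# Constructed sample replies in the CAS 2.0 format, for local testing.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-abc not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```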

Before the login filter-mapping add:

$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Filter Mappings -->
<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.action</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:END -->

Add the Single Sign Out listener to the listener list as well.
$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Single Sign Out Listener -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- CAS:END -->

Modify the seraph-config.xml

CAS Login links

$CONFLUENCE_INSTALL/confluence/WEB-INF/classes/seraph-config.xml

<init-param>
    <param-name>login.url</param-name>
    <!--<param-value>/login.action?os_destination=${originalurl}</param-value>-->
    <param-value>https://sso-server.mydomain.com:8445/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
    <param-name>link.login.url</param-name>
    <!--<param-value>/login.action</param-value>-->
    <param-value>https://sso-server.mydomain.com:8445/cas/login?service=${originalurl}</param-value>
</init-param>

CAS Authenticator

Comment out the DefaultAuthenticator and add in the JASIG CAS Confluence Authenticator
$CONFLUENCE_INSTALL/confluence/WEB-INF/classes/seraph-config.xml

<!-- CAS:START - Java Client Confluence Authenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.ConfluenceCasAuthenticator"/>
<!-- CAS:END -->

CAS Logout instead of Confluence logout

Atlassian doesn't support a config option for this yet (unlike Jira); please vote up the feature request here: http://jira.atlassian.com/browse/CONF-4931
To rely on the Single Sign Out functionality when signing out of Confluence, we need to modify the logout link.

  1. Copy $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/confluence-x.x.x.jar to a temporary directory
    mkdir /tmp/confluence-jar && cp $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/confluence-3.0.1.jar /tmp/confluence-jar
  2. Unpack the jar
    cd /tmp/confluence-jar && jar xvf confluence-3.0.1.jar
  3. Copy xwork.xml to $CONFLUENCE_INSTALL/confluence/WEB-INF/classes
    cp xwork.xml $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/ && cd $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/
  4. Edit $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/xwork.xml, find the logout action, comment out its success result and replace it with this one
    $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/xwork.xml
    <!--            <result name="success" type="velocity">/logout.vm</result> -->
    <!-- CAS:START - CAS Logout Redirect -->
    <result name="success" type="redirect">https://sso-server.mydomain.com:8445/cas/logout</result>
    <!-- CAS:END -->
  1. Set Zimbra to use HTTPS

    su - zimbra -c "/opt/zimbra/bin/zmtlsctl redirect"
  2. Configure the Zimbra CACerts keystore

    Import your CAS server certificates (the certificate and its chain, if you have one) into the Zimbra CACerts keystore by executing the following commands as the root user:

    /opt/zimbra/java/bin/keytool -import -file casserver.cert -alias cascert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    /opt/zimbra/java/bin/keytool -import -file casserver.chain -alias caschain -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  3. Import the Java CAS Client library

    This library can be used to implement custom CAS functionality, or simply to CASify a web application by applying a filter.

    1. Download it from http://www.ja-sig.org/downloads/cas-clients/. Client version 3.1.x works with Zimbra 6.0.x and CAS Server 3.3.x.
    2. Copy cas-client-core-3.1.x.jar into /opt/zimbra/jetty/common/lib.
  4. Modify web.xml files

    1. Zimbra Webapp

      Backup the current zimbra.web.xml.in

      cp /opt/zimbra/jetty/etc/zimbra.web.xml.in /opt/zimbra/jetty/etc/zimbra.web.xml.in.bak

      Add the following lines to /opt/zimbra/jetty/etc/zimbra.web.xml.in before the first <servlet> section (around line 230), replacing sso-server.mymydomain.com:8445 and webmail.mymydomain.com with your own hosts.
      Default ports are 8443 for the CAS Server and 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS):

    2. ZimbraAdmin Webapp

      Backup the current zimbraAdmin.web.xml.in

      cp /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in.bak

      Add the following lines to /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in before the first <servlet> section (around line 230), replacing sso-server.mymydomain.com:8445 and webmail.mymydomain.com:7071 with your own hosts.
      Default ports are 8443 for the CAS Server and 7071 for the Zimbra Admin Console.

  5. Create the PreAuth key

    Execute the following command as the Zimbra user:

    zmprov gdpak mymydomain.com

    This creates the PreAuth key for the domain, for example “359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9”. Treat it as a secret: anyone holding it can mint preauth tokens for any account in the domain.

  6. Create preauth.jsp files

    1. Zimbra Webapp
      1. Copy the preauth.jsp-zimbra file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp.
      2. Replace the DOMAIN_KEY with the key you previously generated with zmprov:
        public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
      3. Replace yourdomaine.com with your domain at line 90.
      4. Execute the following command as the root user:
        chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp
    2. ZimbraAdmin Webapp
      1. Copy the preauth.jsp-zimbraadmin file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp.
      2. Replace the DOMAIN_KEY with the key you previously generated with zmprov:
        public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
      3. Replace yourdomaine.com with your domain at line 92.
      4. Execute the following command as the root user:
        chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp
  7. Replace login and logout URLs

    Execute the following commands as the Zimbra user:

    zmprov md webmail.mymydomain.com zimbraWebClientLoginURL https://webmail.mymydomain.com/zimbra/public/preauth.jsp
    zmprov md webmail.mymydomain.com zimbraWebClientLogoutURL https://sso-server.mymydomain.com:8445/cas/logout
    zmprov md webmail.mymydomain.com zimbraAdminConsoleLoginURL https://webmail.mymydomain.com:7071/zimbraAdmin/public/preauth.jsp
    zmprov md webmail.mymydomain.com zimbraAdminConsoleLogoutURL https://sso-server.mymydomain.com:8445/cas/logout

    Replace sso-server.mymydomain.com:port and webmail.mymydomain.com:port with your own hosts and ports.

    Default ports are 8443 for the CAS Server, 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) and 7071 for the Zimbra Admin Console.

  8. Zimbra Admin logout to remove SSO ticket
    In order to log out of Zimbra Admin and remove the SSO ticket, the following compressed JavaScript file in the Zimbra installation has to be changed:

    mkdir /root/workspace
    cd /root/workspace
    cp /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz.bak
    cp /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz .
    gunzip -S zgz Admin_all.js.zgz

    The above expands the file to “Admin_all.js.” (note the trailing period). Open it in your preferred text editor and append the following line

    if (location.pathname=="/zimbraAdmin/") { o = "https://sso-server.mymydomain.com:8445/cas/logout"; }

    after the line

    var o=location.protocol+"//"+location.hostname+((location.port=="80")?"":":"+location.port)+location.pathname+location.search;

    inside the logOff function, so that it looks like this:

    ZaZimbraAdmin.logOff=function(){
        ZmCsfeCommand.clearAuthToken();
        window.onbeforeunload=null;
        var t=DwtShell.getShell(window);
        t.setBusy(true);
        var o=location.protocol+"//"+location.hostname+((location.port=="80")?"":":"+location.port)+location.pathname+location.search;
        // CAS: send the browser to the CAS logout instead of back to the admin console
        if (location.pathname=="/zimbraAdmin/") { o = "https://sso-server.mymydomain.com:8445/cas/logout"; }
        var e=new AjxTimedAction(null,ZaZimbraAdmin.redir,[o]);
        AjxTimedAction.scheduleAction(e,100)
    };

    Now compress the file again and copy it back to the original folder; note the period “.” following the filename

    gzip -S zgz Admin_all.js.
    cp Admin_all.js.zgz /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz
  9. Restart Zimbra

    Execute the following command as the Zimbra user:

    zmcontrol restart
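Steps 5 to 7 above hinge on the PreAuth key: preauth.jsp turns the CAS-authenticated user name into a Zimbra preauth URL signed with DOMAIN_KEY, and Zimbra's /service/preauth endpoint verifies it. The following is an added example (not the page's preauth.jsp and not Zimbra's code) that shows both sides as Zimbra documents the scheme, HMAC-SHA1 over "account|by|expires|timestamp" in hex; the DOMAIN_KEY, account and timestamps are constructed placeholders, and the verification helper is hypothetical, written to show the checks a receiver needs (constant-time comparison and a timestamp window).

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholder; the real value is what `zmprov gdpak <domain>` prints.
DOMAIN_KEY = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
MAX_SKEW_MS = 5 * 60 * 1000  # reject preauth timestamps outside a 5 minute window


def preauth_token(domain_key, account, timestamp_ms, expires=0, by="name"):
    """Zimbra preauth value: hex HMAC-SHA1 of 'account|by|expires|timestamp'."""
    msg = "|".join([account, by, str(expires), str(timestamp_ms)])
    return hmac.new(domain_key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def preauth_url(webmail_base, domain_key, account, timestamp_ms, expires=0):
    """The redirect preauth.jsp issues once CAS has told it who the user is."""
    params = {
        "account": account,
        "by": "name",
        "timestamp": timestamp_ms,
        "expires": expires,
        "preauth": preauth_token(domain_key, account, timestamp_ms, expires),
    }
    return f"{webmail_base}/service/preauth?{urlencode(params)}"


def verify_preauth(domain_key, params, now_ms, max_skew_ms=MAX_SKEW_MS):
    """Receiving-side check: recompute the token from the presented parameters,
    compare in constant time, and reject stale or future timestamps so a captured
    URL cannot be replayed later. Returns the account on success, else None."""
    try:
        account = params["account"]
        by = params.get("by", "name")
        timestamp_ms = int(params["timestamp"])
        expires = int(params.get("expires", 0))
        presented = params["preauth"]
    except (KeyError, ValueError):
        return None  # malformed request
    if abs(now_ms - timestamp_ms) > max_skew_ms:
        return None  # outside the accepted window
    expected = preauth_token(domain_key, account, timestamp_ms, expires, by)
    return account if hmac.compare_digest(expected, presented) else None
```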